Using Keycloak with Shibboleth/WAYF/SAMLDS


I would like to connect Keycloak to the DFN AAI. Essentially, they provide a WAYF (WAYF - Tools - Support - SWITCHaai - SWITCH “Where are you From”) which then redirects to SAML2 IDP of an academic institution. They call this “SAML Discovery Service” (SAMLDS).

Is this supported in any way by Keycloak?

Best wishes,

You can add KC manually to DFN-AAI (both IdP and SP role will work). But there is no support for an automated processing of the DFN-AAI (or any other SAML2 based) federation metadata in KC. All you can do is to add the metadata-provided SPs or IdPs manually to your KC. Or you use a script or similar to dynamically configure the KC according to the DFN-metadata, using the admin rest API.
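The scripted approach mentioned above (read the federation metadata, create or update the IdPs through the admin REST API) sketched as an added example; this is not code from the Keycloak project or from anyone in this thread. It parses a small constructed `EntitiesDescriptor` embedded inline, keeps only entities that carry an `IDPSSODescriptor` with a signing certificate, and turns each into a Keycloak SAML identity-provider representation. The `config` keys are those used by Keycloak's SAML identity provider; check them against your Keycloak version. The admin-cli password grant, the `base_url` (include the `/auth` prefix on older versions), realm name and credentials are assumptions, and the script assumes the metadata's XML signature was verified before it is handed to this parser.

```python
"""
Provision Keycloak SAML identity providers from SAML2 federation metadata.
Example code, not part of Keycloak; verify the metadata signature before use.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: two IdPs (one with both bindings, one POST-only) and one SP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIBsampleCertA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.uni-a.example/idp/profile/SAML2/POST/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.uni-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sso.uni-b.example/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIBsampleCertB==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sso.uni-b.example/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.service.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _signing_cert(idp_el):
    """First certificate usable for signing (use="signing" or no use attribute), whitespace stripped."""
    for kd in idp_el.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return "".join(cert.text.split())
    return None


def _alias(entity_id):
    """Keycloak alias derived from the entityID host, restricted to [a-z0-9-]."""
    host = urllib.parse.urlparse(entity_id).netloc or entity_id
    return "".join(c if c.isalnum() else "-" for c in host.lower()).strip("-")


def idps_from_metadata(xml_text):
    """Return one IdentityProviderRepresentation dict per IdP in the metadata."""
    root = ET.fromstring(xml_text)
    reps = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and attribute authorities are not identity providers
        sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
        if REDIRECT in sso:
            url, post_authn = sso[REDIRECT], "false"
        elif POST in sso:
            url, post_authn = sso[POST], "true"
        else:
            continue
        cert = _signing_cert(idp)
        if cert is None:
            continue  # without a signing key Keycloak cannot validate this IdP's responses
        entity_id = ed.get("entityID")
        reps.append({
            "alias": _alias(entity_id),
            "displayName": entity_id,
            "providerId": "saml",
            "enabled": True,
            "trustEmail": False,
            "config": {
                "idpEntityId": entity_id,
                "singleSignOnServiceUrl": url,
                "postBindingAuthnRequest": post_authn,
                "postBindingResponse": "true",
                "signingCertificate": cert,
                "validateSignature": "true",
                "wantAuthnRequestsSigned": "false",
                "nameIDPolicyFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                "principalType": "SUBJECT",
            },
        })
    return reps


def admin_token(base_url, username, password, realm="master"):
    """Password grant against admin-cli (assumed setup); returns a bearer token."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base_url}/realms/{realm}/protocol/openid-connect/token", data) as r:
        return json.load(r)["access_token"]


def upsert_idp(base_url, token, realm, rep):
    """POST the IdP; on 409 (alias exists) fall back to PUT so reruns update in place."""
    body = json.dumps(rep).encode()
    hdrs = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    base = f"{base_url}/admin/realms/{realm}/identity-provider/instances"
    try:
        urllib.request.urlopen(urllib.request.Request(base, body, hdrs, method="POST")).close()
        return "created"
    except urllib.error.HTTPError as e:
        if e.code != 409:
            raise
    urllib.request.urlopen(urllib.request.Request(f"{base}/{rep['alias']}", body, hdrs, method="PUT")).close()
    return "updated"


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in signature-verified federation metadata for real use.
    for rep in idps_from_metadata(SAMPLE_METADATA):
        print(rep["alias"], rep["config"]["singleSignOnServiceUrl"])
    # token = admin_token("https://kc.example", "admin", "secret")        # assumed values
    # for rep in idps_from_metadata(SAMPLE_METADATA):
    #     print(rep["alias"], upsert_idp("https://kc.example", token, "myrealm", rep))
```

Rerunning the script against fresh metadata updates existing aliases rather than failing, which is what you want for a federation whose certificates and endpoints rotate; IdPs that disappear from the metadata are deliberately left in place so that a broken download cannot delete your login options.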


Thanks for the reply. That’s what I do in the beginning.

I would probably have to write a new type of Authentication source to Keycloak in parallel to “Login with Google” that would resolve the SAMLDS/WAYF and then use the selected IDP, right?

This authentication source would have to run the complete SAML authentication process or add and configure the DFN-AAI IdPs as identity providers in KC…